Hi Kayhan,
that is a lot of information in one message.
Let me try to digest what you are reporting here. I gather that you defined profile C2RS*.* in the STARTED class. You permitted READ access to the IDs STCGRP, C2RSERVE, and IBMUSER for this profile. These permissions are irrelevant, RACF does not use them. I suggest that you remove these permissions.
What is important is what did you define in the STDATA segment of STARTED profile C2RS*.*?
In the STDATA segment, you specify which user ID the C2RSERVE started task uses (probably you defined C2RSERVE) and to which group this user ID must be connected (probably you defined STCGRP here). For the specified user ID and group ID, you can then check in their OMVS segment which UID you assigned to the user ID (C2RSERVE), and which GID to the group (STCGRP).
I do not quite understand what you mean with the sentence "I attended the STCGRP and C2RSERVE to the BPX.SUPERUSER profile."?
Do you mean that you permitted these IDs access to this profile. That permission allows user ID C2RSERVE to switch to SUPERUSER mode (UID(0)), but the script that you run doesn't switch to SUPERUSER mode. You can see in the violation message EFFECTIVE UID(0000000077) EFFECTIVE GID(0000000005) that user ID C2RSERVE is using UID(77) and group STCGRP uses GID(5).
The output of your ls -alt command reveals that the owner of the file is IBMUSER and the group owner is OMVSGRP. When you issue command ls -ant instead, you see the owning UID and GID for /u/c2rserve/server1//bin. My guess is that the owning UID and GID do not match UID(77) and GID(5).
Changing the owning UID to 77 and GID to 5 for /u/c2rserve/server1//bin will probably resolve this access issue.
I hope that you find this information helpful.
------------------------------
Tom Zeehandelaar
z/OS Security Enablement Specialist - zSecure developer
IBM
Delft
+31643351728
------------------------------
Original Message:
Sent: Tue December 01, 2020 02:10 PM
From: Kayhan Tanriverir
Subject: ICH408I error during Setup and use of the zSecure Visual Server 2.4.0
Greetings all,
I completed the installation of the zSecure Visual Server 2.4.0, but I am receiving the following error when I start up C2RSERVE.
ICH408I USER(C2RSERVE) GROUP(STCGRP ) NAME(STARTED USER ) 270
/u/c2rserve/server1//bin
CL(DIRACC ) FID(D7F2F2D9E2F3092C000000006C3F006F)
INSUFFICIENT AUTHORITY TO UNLINK
ACCESS INTENT(-W-) ACCESS ALLOWED(OTHER R-X)
EFFECTIVE UID(0000000077) EFFECTIVE GID(0000000005)
STCGRP is started group. C2RSERVE is a member of started group.
CLASS NAME
----- ----
STARTED C2RS*.* (G)
USER ACCESS
---- ------
STCGRP READ
C2RSERVE READ
IBMUSER READ
I attended STCGRP and C2RSERVE to the BPX.SUPERUSER profile. I tried chown and chmod commands but they are not effected.
I used the following command
chmod -R g+rwx /u/c2rserve/server1//bin
but didn't work.
The status of directory in omvs is as follows.
Ö ls -alt /u/c2rserve/server1//bin
lrwxrwxrwx 1 IBMUSER OMVSGRP 19 Dec 1 14:41 /u/c2rserve/server1//bin –
> /usr/lpp/c2r/V2R4M0
Ö
I would greatly appreciate it if you kindly give me some feedback.
iyi çalışmalar, saygılar / Regards
________________________________________________
Kayhan TANRIVERİR
Senior Systems Programmer & Consultant
VBT Bilgi Teknolojileri A.Ş
www.vbt.com.tr